Personal Data Protection Inspector - when is it needed?

Service

The GDPR requires some personal data administrators to appoint a Personal Data Protection Officer (DPO). All state authorities, entities processing sensitive data on a large scale and entities whose main activity is to monitor people on a large scale are required to appoint a DPO. When is the Personal Data Protection Inspector needed?

Who is the Personal Data Protection Inspector (DPO)?

The Personal Data Protection Inspector is a person appointed by the administrator or processor to assist in the compliance with the provisions on the protection of personal data in the company or organization. The DPO acts as an intermediary between the interested entities (the Office for Personal Data Protection, the data processor and the data subject). In addition, the Personal Data Protection Inspector ensures the implementation of the accountability principle - helps in the preparation of a risk assessment or assessment of the effect of personal data protection.

The tasks of the Personal Data Protection Officer are:

  • informing the administrator, processor and employees about the obligations regarding the protection of personal data resulting from the GDPR,

  • advising on how to comply with the provisions on the protection of personal data,

  • monitoring compliance with provisions and policies in the field of personal data protection,

  • assisting in the preparation of a risk assessment or impact assessment for the protection of personal data,

  • maintaining confidentiality in relation to the tasks performed under the protection of personal data,

  • acting as a contact point for the supervisory authority.

Attention!
The Personal Data Protection Inspector is not responsible for non-compliance with the GDPR. The obligation to properly comply with the provisions on the protection of personal data rests with the controller or the processor. The DPO can be compared to the role of an assistant, consultant.

Who needs to appoint a DPO?

Public entities, entities processing sensitive data on a large scale and entities whose main activity is the large-scale monitoring of persons are required to appoint a DPO. Other entities may also appoint a DPO, but it is not obligatory for them. However, if, despite the lack of such an obligation, they appoint a DPO, they should act in accordance with the requirements for him (with regard to tasks, the role of the inspector).

Working Group 29, i.e. a team of experts appointed to issue guidelines in the field of GDPR, recommends that if a given entity is not obliged to appoint a DPO, it should prepare documentation justifying it.

Who to entrust the function of the DPO - an employee or an external entity?

The Personal Data Protection Inspector may be an employee of the administrator or processor or perform tasks under a contract for the provision of services.

A group of companies may appoint one DPO if it is easy to contact them from each of these entities, from each organizational unit. In order to facilitate contact, the entity that appointed the inspector should make his contact details public.

The Personal Data Protection Inspector is not recalled or punished by the administrator or the processor for fulfilling his tasks. It reports directly to the top management of the controller or processor.

On the other hand, it may be revoked in justified cases, for reasons that apply, e.g. in the employment relationship or under contracts, e.g. harassment, theft, serious breach of obligations. This applies to employee inspectors as well as external inspectors. The GDPR does not explain how and when the DPO can be revoked and replaced by another person - it depends on the entity that appointed the inspector.

Start a free 30-day trial period with no strings attached!

How to appoint a DPO?

The Personal Data Protection Officer is appointed on the basis of professional qualifications, in particular professional knowledge of data protection law and practices, and the ability to fulfill tasks in the field of personal data protection.

Obligations for controllers or processors related to DPOs:

  • immediate inclusion of the Personal Data Protection Officer in matters related to the protection of personal data;

  • providing the DPO with the necessary materials to enable him to perform his role, e.g. access to personal data, processing operations and access to expertise;

  • informing employees about the appointment of a DPO;

  • not giving instructions to the DPO on how to perform their tasks - data protection officers - whether or not they are employees of the controller - should be able to perform their duties and tasks independently;

  • if one of the employees becomes an inspector, adequate working time should be ensured for the DPO's tasks, so that these tasks do not interfere with other duties.

The controller or the processor must publish the contact details of the inspector and notify the supervisory authority, i.e. the President of the Personal Data Protection Office, of them.

When and who should be notified about the appointment of the Personal Data Protection Officer?

The supervisory body, i.e. the President of the Personal Data Protection Office, should be notified about the appointment of a DPO. The deadlines within which the notification should be made are specified in the Polish amended Act on the Protection of Personal Data.

If the administrator appoints a DPO, the notification should be made:

  • until September 1, 2018 - when the administrator appointed an ABI before May 25, 2018 and decides that the same person will act as the Personal Data Protection Officer (Article 158 (1) and (2) of the new Act),

  • until September 1, 2018 - when the administrator appointed the information security administrator (ISA) before May 25, 2018, but he wants to appoint another person to act as the Personal Data Protection Inspector (Article 158 (1) of the new Act),

  • until July 31, 2018 - when the administrator did not appoint an ABI before May 25, 2018 (Article 158 (4) of the new Act),

  • within 14 days from the date of designating the data protection officer - when the administrator did not appoint an ABI before May 25, 2018, but decides to voluntarily appoint a Personal Data Protection Inspector (Article 10 of the new Act).

For processors that:

  • are obliged to appoint a DPO - the notification should take place by July 31, 2018 (Article 158 (5) of the new Act),

  • are not obliged to appoint a DPO, and they decide to appoint such a person - the notification should take place within 14 days from the date of appointment (Article 10 (1) of the new Act).

The notification of appointment of the DPO should include:

  • name, surname and e-mail address or telephone number of the inspector,

  • name and surname and address of residence - if the controller or processor is a natural person,

  • the entrepreneur's company and the address of the place of business, if the administrator or processor is a natural person running a business,

  • the full name and address of the registered office, if the controller or processor is an entity other than the one indicated in the above points,

  • REGON, if it has been assigned to the administrator or processor.

Notifications about the appointment of a DPO should be made in electronic form and affixed with a qualified electronic signature or a signature confirmed by a trusted ePUAP profile. After May 25, 2018, an electronic form for this purpose will be available on the office's website.

Notification may also be made by the appointing entity's proxy. A power of attorney granted in electronic form is attached to the notification.